Hackers Take On ISIS

Hackers with GhostSec are fighting ISIS through social media and the Deep Web.
Hackers Take On ISIS
An operative of the hacker group GhostSec works at a laptop. The organization was formed to fight ISIS terrorists by targeting their online fundraising and recruitment. (GhostSec)
Joshua Philipp

ISIS terrorists were planning to launch a suicide attack on a market frequented by British and Jewish tourists in Djerba, Tunisia. The attack was stopped, however, by an unlikely group of heroes. Hackers had been watching ISIS social media accounts and caught wind of the plot before it could happen.

They passed the information to a government contact, and “two days later we were informed that arrests were made per our intelligence,” said the hacker called DigitaShadow, operations director of the hacker group GhostSec, in an email interview.

ISIS was planning a similar attack on New York City, which the hackers may have also played a role in stopping. “A prominent Islamic State [ISIS] account was relaying information that six terror cells in NYC would be activated, among other accounts stating that NYC would burn,” DigitaShadow said.

Ghost Security (GhostSec) operates without government oversight, and without the red tape or legal restrictions that inhibit government action. It can infiltrate ISIS recruitment networks, launch attacks on terrorist websites, and not worry about political fallout or public scrutiny. Its efforts to fight back against terrorists on the online frontier may be helping lay the foundations for a new form of counterterrorism.

GhostSec was started by a group of highly skilled hackers, after two Islamist gunmen raided the Paris office of satirical newspaper Charlie Hebdo on Jan. 7, killing 12 people and wounding 11. DigitaShadow said after the attacks, “Many individuals including ourselves realized first hand that this was not an issue isolated to the Middle East and that everyone was at risk of becoming a victim of terrorism.”

The new hacker group was formed, DigitaShadow said, “to combat the Islamic State (ISIS) online in an attempt to slow their online recruitment and cripple their digital infrastructure.”

Their go-between for law enforcement and intelligence officials is Michael Smith, principal of national security company Kronos Advisory.

Smith confirmed in a phone interview that information from GhostSec “was useful in helping coordinate an effort to assail an attack in Tunisia.” He said they had provided him with information on the pending attack, and “I was able to look at it and assess the counterterrorism community would have an interest in the material.”

He was unable to confirm whether GhostSec’s information helped stop the attack in New York, however. He said it’s rare to get feedback on data used for counterterrorism, yet noted he “knew there was value” in the information GhostSec provided.

The Middle Ground

Over the last several months, GhostSec claims it has taken out close to 60,000 ISIS social media accounts that were being used for recruitment and sending threats, and shut down 100 ISIS websites used for recruitment, spreading propaganda, and planning attacks. They also quietly monitor many terrorist websites, including those hidden in the Deep Web.

GhostSec has leaked lists of some of its targets, including IP addresses where the websites are hosted. A recent leak included a list of 791 Twitter accounts, 11 Facebook pages, and 52 emails used by ISIS members and supporters. Epoch Times was able to independently verify some of the information.

DigitaShadow, an operations director of the hacker group GhostSec, stands in front of an American flag. The organization is fighting ISIS online. (GhostSec)
DigitaShadow, an operations director of the hacker group GhostSec, stands in front of an American flag. The organization is fighting ISIS online. (GhostSec)

GhostSec works in a gray area. Hackers typically frown on cooperating with governments, and governments rarely trust hacker groups that conceal their identities.

Smith said that given GhostSec’s level of skill—and its understanding that even information on government networks is not secure, it’s “quite understandable they would not want to be known.”

GhostSec also works closely with another hacker group known as CtrlSec (Control Section). It also collects some intelligence from the hacker collective Anonymous, if the information seems accurate, but its relations with the group are mixed. DigitaShadow said, “The fact is that we do work with government agencies, which most of Anonymous would disagree with.”

According to Smith, GhostSec demonstrates a lot of self-restraint in order to maintain its relations with the government. He noted, in particular, that many ISIS websites are hosted on privately held servers based in the United States, and GhostSec avoids attacking these sites, as doing so would be seen as attacking U.S. infrastructure.

“They’re very careful to not do a lot of that because they recognize it’s something they could get into a great deal of trouble for,” Smith said.

Smith said the United States still lacks clear regulation to govern content hosted on U.S. servers, and for groups like ISIS, this “has become an attractive thing for them to exploit. There’s a growing trend of them using servers in the United States to host their websites and forums.”

For GhostSec, the reasoning for walking this fine line is simple. Its focus is on uprooting ISIS networks and preventing attacks, and it'll take help where it can find it.

“Our reporting of intelligence to the governments of the world is critical to the security of nations and their people,” DigitaShadow said. “The Islamic State [ISIS] poses a risk to everyone from the streets of Paris, France to small town America. Everyone is at risk and someone must oppose them.”

Smith said GhostSec has demonstrated its skills on several occasions. He gave a recent example, where a group affiliated with ISIS leaked details on over 1,000 federal employees. The source was unclear, since it was hosted on mirror websites. He said, “GhostSec’s people were able to locate the actual site where the material was presented.”

Digital Counterterrorism

ISIS has brought a new problem to the desks of officials in the military and government.
It has raised a core question, of how do you fight an enemy that builds its ranks and spreads its propaganda using the Internet.

The International Center for Counter-Terrorism at The Hague questioned in a March 2015 report how to counter the narrative of the “cyber jihad.” It notes that close to 20,000 people from 90 countries have joined the fight in Iraq and Syria, who were “spurred in part by large-scale jihadist propaganda.”

“So far, authorities in their countries of origin have not been able to address the jihadist radicalization messages transmitted via the Internet and social media,” it states.

The British military recently found its answer by forming the 77th Brigade, which is focused on nonviolent psychological warfare, including operations to counter the online narratives being spun by ISIS.

Meanwhile, investigators in the United States are overwhelmed by the sheer volume of online activity from ISIS. A recent bulletin from the Department of Homeland Security and the National Counterterrorism Center, cited by Fox News, stated that U.S. investigators can’t keep up with online activities of ISIS and its supporters.

It stated they’re having trouble “differentiating those supporters focused only on promoting pro-ISIL rhetoric, which may be protected speech, [versus] detecting those prepared to engage in violence on the group’s behalf.”

Smith said ISIS is able to exploit unregulated parts of the Internet, with little trouble. “I understand the majority of Islamic activity takes place on the Deep Web,” he said, noting that “the Islamic State has used the Internet as a virtual safe haven.”

While law enforcement agencies are just beginning to scratch the surface of the Deep Web, Smith noted it’s an area already familiar to the hacker community.

The logo of GhostSec, also called Ghost Security. The hacker organization was created to fight online propaganda and recruitment used by ISIS terrorists. (GhostSec)
The logo of GhostSec, also called Ghost Security. The hacker organization was created to fight online propaganda and recruitment used by ISIS terrorists. (GhostSec)

This is where GhostSec comes in. What they’re doing, and the effectiveness of their efforts, could very well set a precedent for near-future efforts to fight terrorism.

GhostSec is divided into four divisions. Its operations team oversees the entire unit and gives directions, its technology team maintains tools to fight ISIS, its intelligence team infiltrates ISIS networks and gathers information—including on the Deep Web—while its research team collects data on ISIS news and propaganda.

“Our operatives are varied and from around the world with backgrounds in military and computer security,” DigitaShadow said, noting that unlike government agencies, “we do not only monitor the enemy, but we use our offensive capabilities to cause damage.”


ISIS is widely regarded as being more tech-savvy than most terrorist organizations. The most glaring element of ISIS social media efforts is its execution videos, where its members seem to revel in finding new ways to kill people.

The shock value often brings ISIS attention from news outlets around the world, and the terrorists use the violent videos both to spread their message and to recruit new members.

Not everyone is for taking down ISIS propaganda, however. Some experts argue that the bloody videos cause the group more harm than good. Terrorism expert and Northeastern University political science professor Max Abrahms noted it has actually led many countries—and even some terrorist organizations—to rise up against ISIS.

Abrahms wagered that if you showed even your craziest friend one of the ISIS execution videos, “they'd probably be disgusted. … The very typical response to this propaganda is not to be attracted to the Islamic State, but to be repulsed.”

Even the Taliban condemned a recent ISIS video. In the video, ISIS terrorists buried explosives, brought out blindfolded Afghan tribal leaders and villagers, then had them kneel over the ground where they were beheaded by the explosions. According to the International Business Times, the Taliban said the “brutal actions” were “intolerable.”

Abrahms said in a phone interview there’s no doubt that ISIS is attracting new recruits through social media, yet it is mainly recruiting people who were already radicalized. The other side of the picture is that ISIS propaganda is causing nations to rise against it.

He noted that the United States got involved in fighting ISIS, after the group released a video where it killed journalist James Foley. Jordanians started fighting ISIS after a video where the terrorists burned alive one of Jordan’s pilots, Lt. Muath al-Kaseasbeh. Egypt started fighting ISIS, after it released a video of the members beheading 21 Egyptian Coptic Christian migrant workers.

The list of nations and movements joining the fight against ISIS, after being repulsed by ISIS propaganda, could go on for some time.

“Because Islamic State uses violence so brutally, then brags about it, not only has the local population turned against the group, and not only have governments turned against it, but even other rebel groups are less sure about joining with the group,” Abrahms said.

Taking this into account, the ISIS social media campaigns actually harm the group. He said, “I find it expedites their demise by spreading all the terrible things the terrorists do.”

While Abrahms holds that ISIS is only destroying itself with its violent propaganda, its other online activities do pose a serious threat—particularly its direct communication channels, where it can train terrorists abroad on bomb-making or bring in new members with desired skills.

While GhostSec targets the ISIS propaganda channels, DigitaShadow noted that the terrorists use many of their outlets for multiple purposes. Bringing down their propaganda outlets likewise degrades their efforts to recruit new members.

“The Islamic State is very dependent on the Internet and social media, and use these platforms for their main communications,” DigitaShadow said. “Crippling their infrastructure saves lives on the ground and slows their ability to recruit new fighters, thus saving lives on the battlefield.”

Joshua Philipp is senior investigative reporter and host of “Crossroads” at The Epoch Times. As an award-winning journalist and documentary filmmaker, his works include "The Real Story of January 6" (2022), "The Final War: The 100 Year Plot to Defeat America" (2022), and "Tracking Down the Origin of Wuhan Coronavirus" (2020).
Related Topics